Darlington Town Mission

Registered Charity No 235572

 

  DATA PROTECTION POLICY

 

Policy No P3

Adopted: 7th August 2018

Darlington Town Mission is committed to protecting all information that we handle about people we support and work with, and to respecting people’s rights around how their information is handled. This policy explains our responsibilities and how we will meet them.

Contents

Section A – What this policy is for

1. Policy Statement

2. Why this policy is important

3. How this policy applies to you & what you need to know

4. Training and guidance

Section B – Our data protection responsibilities

5. What personal information do we process?

6. Making sure processing is fair and lawful

7. When we need consent to process data

8. Processing for specified purposes

9. Data will be adequate, relevant and not excessive

10. Accurate data

11. Keeping data and destroying it

12. Security of personal data

13. Keeping records of our data processing

Section C – Working with people we process data about (data subjects)

14. Data subjects’ rights

15. Direct marketing

Section D – working with other organisations & transferring data

16. Sharing information with other organisations

17. Data processors

Section E – Managing change & risks

18. Dealing with data protection breaches

Schedule 1 – Definitions and useful terms

Schedule 2 – ICO Registration & correspondence address for the Chair of Trustees

 

 

Section A – What this policy is for 

1. Policy statement

1.1 Darlington Town Mission is committed to protecting personal data and respecting the rights of our data subjects: the people whose personal data we collect and use. We value the personal information entrusted to us and we respect that trust by complying with all relevant laws and adopting good practice.

We process personal data to help us:

a) maintain our list of Trustees, Volunteers, Members, and Supporters;

b) provide services and support to our Friends;

c) safeguard adults at risk;

d) recruit, support and manage staff and volunteers;

e) maintain our accounts and records; 

f) promote our services;

g) respond effectively to enquirers and handle any complaints;

h) process Donations and Gift Aid Claims.

1.2 This policy has been approved by the Charity Trustees who are responsible for ensuring that we comply with all our legal obligations. It sets out the legal rules that apply whenever we obtain, store or use personal data.

2. Why this policy is important

2.1 We are committed to protecting personal data from being misused, getting into the wrong hands or being shared carelessly, or being inaccurate.

2.2 This policy sets out the measures we are committed to taking as an organisation, and what each of us will do to ensure we comply with the relevant legislation.

2.3 We will make sure that all personal data is:

a) processed lawfully, fairly and in a transparent manner;

b) processed for specified, explicit and legitimate purposes and not in a manner that is incompatible with those purposes;

c) adequate, relevant and limited to what is necessary for the purposes for which it is being processed;

d) accurate and up to date;

e) not kept longer than necessary for the purposes for which it is being processed;

f) processed in a secure manner, by using appropriate technical and organisational means;

g) processed in keeping with the rights of data subjects regarding their personal data.

3. How this policy applies to you & what you need to know

3.1 As an employee, trustee or volunteer processing personal information on behalf of the Mission, you are required to comply with this policy. If you think that you have accidentally breached the policy, it is important that you contact the Chair of Trustees immediately so that we can take swift action to try and limit the impact of the breach. 

Anyone who breaches the Data Protection Policy may be subject to disciplinary action, and where that individual has breached the policy intentionally, recklessly, or for personal benefit they may also be liable to prosecution or to regulatory action.

3.2 As a data subject of Darlington Town Mission: We will handle your personal information in line with this policy.

3.3 The Trustees are responsible for advising employees and Volunteers about their legal obligations under data protection law, monitoring compliance with data protection law, dealing with data security breaches and with the development of this policy. Any questions about this policy or any concerns that the policy has not been followed should be sent in writing to the Chair of Trustees at the address given in Schedule 2.

3.4 Before you collect or handle any personal data as part of your work (paid or otherwise) for Darlington Town Mission, it is important that you take the time to read this policy carefully and understand what is required of you, as well as the organisation’s responsibilities when we process data. 

4. Training and guidance

4.1 Our procedures will be in line with the requirements of this policy, but if you are unsure about whether anything you plan to do, or are currently doing, might breach this policy you must first speak to the Chair of Trustees.

4.2 We will provide general training for all staff and volunteers to raise awareness of their obligations and our responsibilities, as well as to outline the law.  

4.3 We may also issue procedures, guidance or instructions from time to time.  

Section B – Our data protection responsibilities

5. What personal data do we process?

5.1 We process data we receive straight from the person it is about (for example, where they complete forms or contact us) and data from other sources, including previous employers, donation processors and Inland Revenue.

5.2 We process personal data in both electronic and paper form and all this data is protected under data protection law. The personal data we process can include information such as names and contact details, education or employment details, medical details, next of kin and visual images of people.

5.3 In some cases, we hold “special categories” of data that can only be processed under strict conditions, see Schedule 1 for definition.

5.4 We will not hold information relating to criminal proceedings or offences or allegations of offences unless there is a clear lawful basis to process this data such as where it fulfils one of the substantial public interest conditions in relation to the safeguarding of individuals at risk or one of the additional conditions relating to criminal convictions set out in either Part 2 or Part 3 of Schedule 1 of the Data Protection Act 2018.  This processing will only ever be carried out on the advice of the Management Team.

5.5 Other data may also be considered ‘sensitive’ such as bank details but will not be subject to the same legal protection as the types of data listed above.

6. Making sure processing is fair and lawful

6.1 Processing of personal data will only be fair and lawful when the purpose for the processing meets a legal basis, as listed below, and when the processing is transparent. This means we will provide people with an explanation of how and why we process their personal data at the point we collect data from them, as well as when we collect data about them from other sources.

How can we legally use personal data?

6.2 Processing of personal data is only lawful if at least one of these legal conditions, as listed in Article 6 of the GDPR, is met:

a) the processing is necessary for a contract with the data subject;

b) the processing is necessary for us to comply with a legal obligation;

c) the processing is necessary to protect someone’s life (this is called “vital interests”);

d) the processing is necessary for us to perform a task in the public interest, and the task has a clear basis in law;

e) the processing is necessary for legitimate interests pursued by Darlington Town Mission or another organisation, unless these are overridden by the interests, rights and freedoms of the data subject.

f) If none of the other legal conditions apply, the processing will only be lawful if the data subject has given their clear consent.

How can we legally use ‘special categories’ of data?

6.3 Processing of ‘special categories’ of personal data is only lawful when, in addition to the conditions above, one of the extra conditions, as listed in Article 9 of the GDPR, is met. These conditions include where:

a) the processing is necessary for carrying out our obligations under employment and social security and social protection law;

b) the processing is necessary for safeguarding the vital interests (in emergency, life or death situations) of an individual and the data subject is incapable of giving consent;

c) the processing is carried out in the course of our legitimate activities and only relates to our Friends or persons we are in regular contact with in connection with our purposes;

d) the processing is necessary for pursuing legal claims. 

e) If none of the other legal conditions apply, the processing will only be lawful if the data subject has given their explicit consent.

6.4 Before deciding which condition should be relied upon, we may refer to the original text of the GDPR as well as any relevant guidance and seek legal advice as required.

What must we tell individuals before we use their data?

6.5 If personal data is collected directly from the individual, we will inform them about: our identity/contact details and those of the Chair of the Trustees; the reasons for processing and the legal basis, explaining our legitimate interests and, where relevant, the consequences of not providing data needed for a contract or statutory requirement; who we will share the data with; how long the data will be stored; and the data subjects’ rights.

This information is commonly referred to as a ‘Privacy Notice’. 

This information will usually be given at the time when the personal data is collected.

6.6 If data is collected from another source, rather than directly from the data subject, we will provide the data subject with the information described in section 6.5 as well as: the categories of the data concerned; and the source of the data.

This information will be provided to the individual in writing and no later than within 1 month after we receive the data, unless a legal exemption under the GDPR applies. If we use the data to communicate with the data subject, we will at the latest give them this information at the time of the first communication. 

If we plan to pass the data onto someone else outside of Darlington Town Mission, we will give the data subject this information before we pass on the data.

7. When we need consent to process data

7.1 Where none of the other legal conditions apply to the processing, and we are required to get consent from the data subject, we will clearly set out what we are asking consent for, including why we are collecting the data and how we plan to use it. Consent will be specific to each process we are requesting consent for and we will only ask for consent when the data subject has a real choice whether or not to provide us with their data.

7.2 Consent can however be withdrawn at any time and if withdrawn, the processing will stop. Data subjects will be informed of their right to withdraw consent and it will be as easy to withdraw consent as it is to give consent.

8. Processing for specified purposes

8.1 We will only process personal data for the specific purposes explained in our privacy notices (as described above in section 6.5) or for other purposes specifically permitted by law. We will explain those other purposes to data subjects in the way described in section 6, unless there are lawful reasons for not doing so.

9. Data will be adequate, relevant and not excessive

9.1 We will only collect and use personal data that is needed for the specific purposes described above (which will normally be explained to the data subjects in privacy notices). We will not collect more than is needed to achieve those purposes. We will not collect any personal data “just in case” we want to process it later.

10. Accurate data

10.1 We will make sure that personal data held is accurate and, where appropriate, kept up to date. The accuracy of personal data will be checked at the point of collection and at appropriate points later on. 

11. Keeping data and destroying it

11.1 We will not keep personal data longer than is necessary for the purposes that it was collected and will comply with official guidance about retention periods for specific records. 

11.2 Information about how long we will keep records can be found in our Data Retention Schedule.

12. Security of personal data

12.1 We will use appropriate measures to keep personal data secure at all points of the processing. Keeping data secure includes protecting it from unauthorised or unlawful processing, or from accidental loss, destruction or damage.

12.2 We will implement security measures which provide a level of security which is appropriate to the risks involved in the processing. 

Measures will include technical and organisational security measures. In assessing what measures are the most appropriate we will consider the following, and anything else that is relevant:

a) the quality of the security measure;

b) the costs of implementation;

c) the nature, scope, context and purpose of processing;

d) the risk (of varying likelihood and severity) to the rights and freedoms of data subjects;

e) the risk which could result from a data breach.

12.3 Measures may include:

a) technical systems security;

b) measures to restrict or minimise access to data;

c) measures to ensure our systems and data remain available, or can be easily restored in the case of an incident;

d) physical security of information and of premises used by us;

e) organisational measures, including policies, procedures, training and audits;

f) regular testing and evaluating of the effectiveness of security measures.

13. Keeping records of our data processing

13.1 To show how we comply with the law we will keep clear records of our processing activities and of the decisions we make concerning personal data (setting out our reasons for those decisions). 

Section C – Working with people we process data about (data subjects)

14. Data subjects’ rights

14.1 We will process personal data in line with data subjects' rights, including their right to:

a) request access to any of their personal data held by us (known as a Subject Access Request);

b) ask to have inaccurate personal data changed; 

c) restrict processing, in certain circumstances; 

d) object to processing, in certain circumstances, including preventing the use of their data for direct marketing;

e) data portability, which means to receive their data, or some of their data, in a format that can be easily used by another person (including the data subject themselves) or organisation;

f) withdraw consent when we are relying on consent to process their data.

14.2 If a colleague receives any request from a data subject that relates or could relate to their data protection rights, this will be forwarded to the Chair of Trustees immediately.

14.3 We will act on all valid requests as soon as possible, and at the latest within forty calendar days, unless we have reason to, and can lawfully, extend the timescale. This can be extended by up to two months in some circumstances.

14.4 All data subjects’ rights are provided free of charge, except a request to access the subject’s personal data, where the Mission may charge a fee of £10.

14.5 Any information provided to data subjects will be concise and transparent, using clear and plain language.

15. Direct marketing

15.1 We will comply with the rules set out in the GDPR, the Privacy and Electronic Communications Regulations (PECR) and any laws which may amend or replace the regulations around direct marketing. This includes, but is not limited to, when we contact data subjects by post, email, text message, social media messaging and telephone (both live and recorded calls). 

Direct marketing means the communication (by any means) of any advertising or marketing material which is directed, or addressed, to individuals. “Marketing” does not need to be selling or advertising a commercial product. It includes contact made by organisations to individuals for the purposes of promoting the organisation’s aims.

15.2 Any direct marketing material that we send will identify Darlington Town Mission as the sender and will describe how people can object to receiving similar communications in the future. If a data subject exercises their right to object to direct marketing, we will stop the direct marketing as soon as possible. 

Section D – working with other organisations & transferring data

16. Sharing information with other organisations

16.1 We will only share personal data with other organisations or people when we have a legal basis to do so and if we have informed the data subject about the possibility of the data being shared (in a privacy notice), unless legal exemptions apply to informing data subjects about the sharing. Only authorised and properly instructed Trustees and staff are allowed to share personal data. 

16.2 We will keep records of information shared with a third party, which will include recording any exemptions which have been applied, and why they have been applied.  Legal advice will be sought as required.

17. Data processors

17.1 Before appointing a contractor to process personal data on our behalf (a data processor) we will carry out appropriate checks to ensure the processor will comply with data protection law, including keeping the data secure and upholding the rights of data subjects. We will only appoint data processors who can provide us with sufficient guarantees that they will do this.

17.2 We will only appoint data processors under a written contract that will require the processor to comply with all relevant legal requirements. We will continue to monitor the data processing, and compliance with the contract, throughout the duration of the contract.

Section E – Managing change & risks

18. Dealing with data protection breaches

18.1 Where staff or volunteers believe this policy has not been followed, or data might have been breached or lost, this will be reported immediately to the Chair of the Trustees.

18.2 We will keep records of personal data breaches, even if we do not report them to the ICO. 

18.3 We will report data breaches likely to result in a risk to any person to the ICO. Reports will be made to the ICO within 72 hours from when someone in the Mission becomes aware of the breach. 

18.4 Where a personal data breach causes a high risk to any person, we will (as well as reporting the breach to the ICO) inform data subjects whose information is affected, without undue delay.

This can include for example: when bank account details are lost or an email containing sensitive information is sent to the wrong recipient. Informing data subjects can enable them to take steps to protect themselves and/or to exercise their rights. 

 

Schedule 1 – Definitions and useful terms

The following terms are used throughout this policy and have their legal meaning as set out within the GDPR. The GDPR definitions are further explained below:

Data controller means any person, company, authority or other body who (or which) determines the means for processing personal data and the purposes for which it is processed. It does not matter if the decisions are made alone or jointly with others.

The data controller is responsible for the personal data which is processed and the way in which it is processed. We are the data controller of data which we process.

Data processors include any individuals or organisations, which process personal data on our behalf and on our instructions e.g. an external organisation which provides secure waste disposal for us. This definition will include the data processors’ own staff (note that staff of data processors may also be data subjects).

Data subjects include all living individuals who we hold or otherwise process personal data about. A data subject does not need to be a UK national or resident. All data subjects have legal rights in relation to their personal information. Data subjects that we are likely to hold personal data about include:

a) the people we care for and support;

b) our employees (and former employees);

c) consultants/individuals who are our contractors or employees working for them;

d) volunteers;

e) trustees;

f) complainants;

g) supporters;

h) enquirers;

i) friends and family;

j) advisers and representatives of other organisations.

ICO means the Information Commissioner’s Office which is the UK’s regulatory body responsible for ensuring that we comply with our legal data protection duties. The ICO produces guidance on how to implement data protection law and can take regulatory action where a breach occurs.

Personal data means any information relating to a natural person (living person) who is either identified or is identifiable. A natural person must be an individual and cannot be a company or a public body. Representatives of companies or public bodies would, however, be natural persons. 

Personal data is limited to information about living individuals and does not cover deceased people.

Personal data can be factual (for example, a name, address or date of birth) or it can be an opinion about that person, their actions and behaviour.

Privacy notice means the information given to data subjects which explains how we process their data and for what purposes. 

Processing is very widely defined and includes any activity that involves the data. It includes obtaining, recording or holding the data, or carrying out any operation or set of operations on the data including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing can also include transferring personal data to third parties, listening to a recorded message (e.g. on voicemail) or viewing personal data on a screen or in a paper document which forms part of a structured filing system. Viewing of clear, moving or still images of living individuals is also a processing activity.

Special categories of data (as identified in the GDPR) includes information about a person’s:

a) Racial or ethnic origin;

b) Political opinions;

c) Religious or similar (e.g. philosophical) beliefs;

d) Trade union membership;

e) Health (including physical and mental health, and the provision of health care services);

f) Genetic data;

g) Biometric data;

h) Sexual life and sexual orientation.

Schedule 2 – ICO Registration

 

Data Controller: Darlington Town Mission

Registration Number: Z9102124

Date Registered: 06/09/2007 Registration Expires: 05/09/2018

Address:

c/o 2 Davison Road

Darlington

Co Durham

DL1 3DR

 

Correspondence address for The Chair of Trustees:

c/o 2 Davison Road

Darlington

Co Durham

DL1 3DR

 

 


 

 

 

 

Privacy statement

What is this statement about?
Darlington Town Mission (DTM) is committed to protecting your privacy. This statement explains when, how and why we collect information about you, how we use it, the circumstances in which we may disclose it to others and the way we work to keep your information safe and secure.

Who are we, how you can contact us and other useful contacts
Darlington Town Mission is a registered charity which aims to reduce isolation and provide companionship to elderly people in Darlington.

We are a registered charity no 235572. Darlington Town Mission is registered with the Information Commissioner’s Office with the registration reference Z9102124.
You can raise any queries about this statement by contacting our Data Protection Officer at dtmission@btconnect.com
Our address is

C/o 2 Davison Road

Darlington

DL1 3DR

You can find further information on data protection and privacy by following the links below:

ico.org.uk
gov.uk

What information do we collect about you?
The information we collect will vary depending on the reason for our interaction with you but may include your name, postal address, phone number, email address, date of birth, next of kin, medical details, bank details, your IP address (the location of your computer on the internet), pages accessed on our website, information about your interests and hobbies and any other information that is reasonably necessary.

Why we collect information about you
We collect information so that we may:

  • provide you with the service(s) you have requested
  • keep you informed of what we are doing
  • ask you to assist us in fundraising activities or process a donation to us
  • comply with our administrative duties, financial regulations and the law


How do we collect information about you?
We collect and store information about you whenever you interact with us including for example when you register with us to receive any of our services, when you apply to work for or volunteer with us, when you make a donation to us or leave us a legacy or otherwise give us any other personal information.

We may also receive information about you from third parties for a specific purpose, for example when you are referred to us by the National Health Service.

How do we use your information?
We may use your information to:

  • fulfil your request to receive a service from us or to provide you with any requested information
  • process and verify any financial transactions arising from donations to us
  • record and process any interaction we have with you
  • process any job or volunteering role application
  • communicate with you about our services and our mission
  • comply with our administrative duties, financial regulations and the law
  • carry out research to improve and promote Darlington Town Mission 


We fully understand and accept the fact that when you provide us your information you expect us to keep it safely and may not want us to share it with other organisations.

We will never sell or rent your information.

We will treat your information as confidential and only share it with, for example:

  • your family, next of kin, friends or associates who act on your behalf
  • our volunteers and/or employees who provide you with a service
  • medical professionals in the event of a medical emergency or if you are unwell
  • the Police, courts or any other regulatory authority

How we look after your information
We take the security of your information seriously and are bound by law to ensure your information is kept safely. We will use all reasonable efforts to do this. In the unlikely event that our processes do not meet our high standards we will tell you immediately.

When we collect information, we will only collect what we need and keep it to a minimum. We will adhere to our internal policies and will abide by laws and the recommendations of regulatory bodies such as the Information Commissioner’s Office and the Charity Commission. See the links above.

We will take appropriate physical, electronic and managerial measures to ensure that we keep your information secure and we will only keep it as long as is reasonable and necessary. Information kept on our computer systems and technical devices is encrypted with passwords to prevent unauthorised access.

Using our website
You may browse our website without disclosing any information to us. However, if you visit our website anonymously, we may still record information about the areas of the website you visit, the amount of time you spend on it, whether you are new to it or have visited it before, how you came to our website – for example, through an email link or a search engine - and the type of computer, browser, network location and internet connection you use. This information doesn't tell us anything about who you are or where you live; it simply allows us to monitor and improve our service.

If you visit our website and provide information about yourself, perhaps to make a donation or request a service from us, we will treat that information in accordance with this statement.

Job applications and volunteering opportunities
If you apply for a job or volunteering opportunity with us we will collect information to assess your suitability for the role. We will only use the information you give us to process your application and to monitor recruitment statistics and undertake relevant checks.

Darlington Town Mission will put together a file about your employment or volunteering role which will be kept secure, used only for matters that apply directly to your role with us and kept after your role with us has ended in accordance with our record retention policy. You can contact us to find out more about this.

Your rights and choices
Current legislation gives you the right to see all the personal information we hold on you, the right to have it amended and the right to stop us causing you damage or distress (we hope we never do).

If you want to see the information we hold on you then you can send a request to the Data Protection Officer at the address above. We may charge you a £10 fee for this service and will deal with every request promptly and independently.

We will send updates about the charity to service users, volunteers and employees to keep them informed of the work that we do. You have a choice about whether you receive information from us. If you do not want to receive direct marketing communications from us about the work that we do and our services and activities then you can select your choices by ticking the relevant boxes in the form we use to collect your information. You can always change your preferences at any time by contacting us at:
dtmission@btinternet.com or the postal address above.

Statement Review
We will keep this statement under regular review. This statement was last reviewed in May 2018.